Worm Malware Forensic Analysis

By Kevin Lanier on February 14, 2025

Executive Summary

Worms are a class of malware that spread across networks on their own, without an attacker directing each new infection. They can cause system slowdowns, data corruption, and unauthorized access to sensitive information. Organizations can reduce their exposure through regular patching and vulnerability scanning, network segmentation, and recurring security training for employees. Ultimately, a written security policy is needed to make those practices consistent and effective against an ongoing threat.

Background

The term "worm" was inspired by the 1975 novel The Shockwave Rider by John Brunner, which described self-replicating programs moving through a network. Real worms work the same way: they exploit vulnerabilities in operating systems, network protocols, or application software to copy themselves from one system to the next. [4] The first worm to cause widespread disruption on the Internet, the Morris worm, was released in 1988 by Robert Tappan Morris. It exploited vulnerabilities in Unix systems and spread uncontrollably, affecting roughly 10% of the hosts connected to the early Internet. Worms gain an initial foothold through unpatched services, weak or default credentials, and in some cases phishing lures or removable media. Once inside a system, a worm copies itself into memory, files, or hidden directories to establish persistence. [6] It then hunts for new victims on its own, probing IP ranges for exposed services such as Server Message Block (SMB) or Remote Desktop Protocol (RDP) and infecting any vulnerable device it finds. That scanning traffic is also what makes a worm visible to defenders: a single host contacting many addresses on the same port within a short time is a strong indicator of a propagating infection.
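The fan-out pattern described above can be checked directly against connection logs. The following script is an added example for this page, not code from any of the cited sources; it assumes a constructed one-event-per-line log format ("<epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>", roughly what a firewall or NetFlow export reduces to) and a constructed sample in which one host sweeps a /24 on TCP/445 while a normal client talks to a few servers.

```python
"""Detect worm-style lateral scanning in connection logs.

Added example for this page (not from the cited sources). The log format is
constructed: "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>", one event
per line, roughly what a firewall or NetFlow export reduces to.
"""
from collections import defaultdict
import ipaddress

# Ports worms commonly sweep looking for exposed services (SMB, RDP, SSH, NetBIOS).
LATERAL_PORTS = {445, 3389, 22, 139}

# Constructed sample: 10.0.0.9 is an ordinary client; 10.0.0.5 probes 10.0.1.1-12
# on TCP/445 within a dozen seconds, the signature of an IP-range sweep.
SAMPLE_LOG = [
    "1700000000 10.0.0.9 10.0.0.20 443 tcp",
    "1700000003 10.0.0.9 10.0.0.21 445 tcp",
    "1700000040 10.0.0.9 10.0.0.22 445 tcp",
] + [f"{1700000010 + i} 10.0.0.5 10.0.1.{i + 1} 445 tcp" for i in range(12)]


def parse_line(line):
    """Split one log line into (ts, src, dst_as_int, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return int(ts), src, int(ipaddress.ip_address(dst)), int(port), proto


def sequential_fraction(targets):
    """Fraction of adjacent sorted addresses that differ by exactly 1.
    Near 1.0 means the source walked a contiguous IP range."""
    ordered = sorted(targets)
    if len(ordered) < 2:
        return 0.0
    steps = [b - a for a, b in zip(ordered, ordered[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)


def detect_fanout(lines, window=60, min_targets=8, ports=LATERAL_PORTS):
    """Return {src_ip: finding} for every source that contacts at least
    `min_targets` distinct destinations on `ports` inside any `window` seconds.
    Normal clients talk to a few servers repeatedly; a worm fans out to many
    hosts once each, so the distinct-destination count is the discriminator."""
    events = defaultdict(list)
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, src, dst, port, proto = parse_line(raw)
        if proto == "tcp" and port in ports:
            events[src].append((ts, dst, port))

    findings = {}
    for src, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans <= window seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            targets = {e[1] for e in span}
            if len(targets) >= min_targets and (best is None or len(targets) > best["targets"]):
                best = {
                    "targets": len(targets),
                    "ports": sorted({e[2] for e in span}),
                    "first_seen": span[0][0],
                    "sequential_fraction": sequential_fraction(targets),
                }
        if best:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, f in detect_fanout(SAMPLE_LOG).items():
        print(f"{src}: {f['targets']} hosts on {f['ports']} from t={f['first_seen']}, "
              f"sequential={f['sequential_fraction']:.2f}")
```

The threshold matters: with the defaults the ordinary client is not reported, but lowering min_targets to 2 flags it as well, because it happened to contact two adjacent addresses on 445. In practice the window and target count are tuned against a baseline of the network's normal east-west traffic, and a high sequential fraction is treated as corroborating evidence rather than a verdict on its own.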

Impact

A recent example is a Linux-targeting worm disclosed in January 2024, which had been spreading quietly for about a year before it was reported. It infected Linux systems worldwide and installed cryptominers on them, software that consumes CPU and memory to mine cryptocurrency for the attacker without the owner's knowledge. Its victims included servers, routers, web cameras, and other IoT devices. [3] Another recent example is the Gamaredon group's LitterDrifter worm, reported in November 2023. It was built to steal sensitive information from targets in Ukraine, but because it propagates through infected USB drives it spread well beyond its intended targets and reached vulnerable systems in other countries. [2]

Mitigation

Defending against worms starts with basic security hygiene. Employees should rotate passwords, password complexity requirements should be sufficient, and staff should review emails carefully and pause before clicking the links in them, among other measures. Companies should deploy firewalls and anti-malware software on all of their systems; the cited guide names products such as Malwarebytes and TotalAV [5]. Users should also watch for the warning signs of a worm and report them right away: slow performance from heavy resource usage, missing files, unrecognized programs, and hidden or missing folders. The security team can then isolate the device from the network, assess how many other devices have been infected, and finally remove the worm with anti-malware tooling. [5] Two practical points apply at that stage: evidence (memory, the dropped files, and the host's outbound connection records) should be preserved before cleanup, since those connection records are the fastest way to enumerate the next victims, and the vulnerability or weak credential the worm used must be fixed, or the clean host will simply be reinfected from a neighbour that was missed.
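One of the warning signs above, an unrecognized program turning up in a hidden folder, can be checked systematically: a worm that persists by dropping copies of itself leaves byte-identical files at several paths, whatever names it gives them. The following script is an added example for this page, not code from any of the cited sources. It hashes every regular file under a root, groups the paths by digest, and notes which copies sit in dot-directories or carry an executable bit; the directory tree it sweeps is a constructed fixture built in a temporary directory, with a fake "payload" dropped three times.

```python
"""Sweep a directory tree for self-replicated executables.

Added example (not from the cited sources). A worm that persists by dropping
copies of itself into files or hidden directories leaves the same bytes at
several paths; hashing every regular file and grouping by digest surfaces those
copies regardless of the names they were given.
"""
import hashlib
import os
import stat
import tempfile
from collections import defaultdict


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_hidden(path, root):
    """True if any path component below `root` starts with a dot."""
    rel = os.path.relpath(path, root)
    return any(part.startswith(".") for part in rel.split(os.sep))


def find_replicas(root, min_copies=2):
    """Return {digest: finding} for byte-identical files found at >= min_copies
    locations under root, noting hidden and executable copies."""
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            # Skip symlinks so a link to one file is not counted as a second copy.
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            by_hash[sha256_file(p)].append(p)
    findings = {}
    for digest, paths in by_hash.items():
        if len(paths) < min_copies:
            continue
        findings[digest] = {
            "paths": sorted(paths),
            "hidden": sorted(p for p in paths if is_hidden(p, root)),
            "executable": sorted(p for p in paths if os.stat(p).st_mode & stat.S_IXUSR),
        }
    return findings


def build_sample_tree(root):
    """Constructed fixture: one benign config file and one fake payload dropped
    three times, once under a dot-directory and marked executable."""
    payload = b"\x7fELF-not-really-just-sample-bytes-" + b"A" * 256
    os.makedirs(os.path.join(root, "home", "user", ".cache", "x"), exist_ok=True)
    os.makedirs(os.path.join(root, "tmp"), exist_ok=True)
    os.makedirs(os.path.join(root, "etc"), exist_ok=True)
    with open(os.path.join(root, "etc", "app.conf"), "wb") as fh:
        fh.write(b"debug=false\n")
    copies = [
        os.path.join(root, "tmp", "update"),
        os.path.join(root, "home", "user", ".cache", "x", "svchost"),
        os.path.join(root, "home", "user", "report.pdf"),
    ]
    for p in copies:
        with open(p, "wb") as fh:
            fh.write(payload)
    os.chmod(copies[1], 0o755)
    return copies


def run_on_sample():
    """Build the fixture in a temporary directory, sweep it, and return
    (dropped_paths, findings) so the result can be inspected after cleanup."""
    with tempfile.TemporaryDirectory() as root:
        copies = build_sample_tree(root)
        return copies, find_replicas(root)


if __name__ == "__main__":
    _copies, findings = run_on_sample()
    for digest, f in findings.items():
        print(digest[:16], len(f["paths"]), "copies;",
              len(f["hidden"]), "in hidden dirs;", len(f["executable"]), "executable")
        for p in f["paths"]:
            print("   ", p)
```

On a real host the same sweep is pointed at the file systems of the isolated machine (ideally a mounted image rather than the live system), and the digests it reports are what get searched for on the other hosts the connection records implicate.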

Relevance

According to the ANY.RUN Malware Trends Overview Report, worms have fallen out of favour compared with other forms of malware such as infostealers, which harvest credentials and other personal data for identity theft. [1] Worms can still serve the same ends, as the LitterDrifter example shows: a worm that steals sensitive data hands the attacker material for identity theft, account takeover, and more convincing follow-on phishing. Anti-malware software is constantly evolving, but so is malware, so corporations need to stay alert to avoid becoming victims.

References

[1] ANY.RUN Team. (2025, January). Malware Trends Overview Report: 2024. ANY.RUN Cybersecurity Blog. https://any.run/cybersecurity-blog/malware-trends-2024

[2] Goodin, D. (2023, November). Normally targeting Ukraine, Russian state hackers spread USB worm worldwide. Ars Technica. https://arstechnica.com/security/2023/11/normally-targeting-ukraine-russian-state-hackers-spread-usb-worm-worldwide/

[3] Goodin, D. (2024, January). A previously unknown worm has been stealthily targeting Linux devices for a year. Ars Technica. https://arstechnica.com/security/2024/01/a-previously-unknown-worm-has-been-stealthily-targeting-linux-devices-for-a-year/

[4] Oltsik, J. (2014, February). Cybersecurity Canon: Worm. Palo Alto Networks Blog. https://www.paloaltonetworks.com/blog/2014/02/cybersecurity-canon-worm/

[5] Vigderman, A., & Turner, G. (2024, September). What Is a Computer Worm & How Do You Prevent Them? Security.org. https://www.security.org/antivirus/computer-worm/

[6] Yong, Z., & Xiao, C. (2009, January). Concept, characteristics and defending mechanism of worms. IEICE Communications Society. https://www4.comp.polyu.edu.hk/~csbxiao/paper/2009/IEICE-2009-worm.pdf